CVE-2015-1641 and CVE-2015-2545 Are Today’s Most Popular Microsoft Word Exploits

Office exploit kit updates drop support for CVE-2012-0158. Two newer vulnerabilities targeting the Microsoft Office suite have become very popular in recent months, as Office exploit kit makers have updated their code and replaced the old exploit with support for the newer CVE-2015-1641 and CVE-2015-2545.

For more than four years, APT groups and cyber-crime gangs have been very attached to CVE-2012-0158, an Office exploit that abused a buffer overflow in the MSCOMCTL.OCX ActiveX control (patched in MS12-027) to infect the underlying system with malware.

Many infosec professionals were puzzled that cyber-criminals kept using such an old exploit to distribute malware three or four years after its disclosure, long after a patch had been available.

CVE-2012-0158 slowly losing popularity

The first signs of change appeared this spring. Usage of two newer Office vulnerabilities has exploded, while the older CVE-2012-0158 has begun to disappear from malware and spam campaigns.

According to a recent report from SophosLabs, the company's researcher Gabor Szappanos has tied the rise of these two exploits to updates to several Office exploit kits, which removed support for the older exploit and added CVE-2015-1641 and CVE-2015-2545 instead.

Office exploit kits are ready-made tools that automate the creation of malformed Office files that exploit security vulnerabilities to install malware on the victim's machine. They work like regular browser exploit kits, but produce malicious Word, Excel, and PowerPoint files instead.

Office exploit kits dropped CVE-2012-0158

Szappanos says that the three major players in the Office exploit kit market, AK-1, DL-2, and MWI, have all received updates in recent months.

AK-1 was updated to AK-2 and, in the process, dropped CVE-2012-0158 and added CVE-2015-1641.

DL-2, the Office exploit kit used by the Fareit and Zbot malware gangs, has shifted to primarily using CVE-2015-2545.

MWI, or the Microsoft Word Intruder kit, has dropped support for CVE-2012-0158 and replaced it with CVE-2015-1641.

Newer exploits offer a higher infection success rate

The reason is simple. CVE-2012-0158 was most useful against Windows XP systems, and as the XP install base has shrunk, so has the exploit's infection rate. Moving the kits to newer vulnerabilities that work against current Office versions makes perfect technical sense.

We already noted in a previous article the rise of CVE-2015-2545 among cyber-espionage APT groups. The vulnerability lets attackers embed a malicious EPS (Encapsulated PostScript) image inside an Office file; the bug sits in Office's EPS image filter, so opening the document is enough to trigger it. It affects Office 2007 SP3, 2010 SP2, 2013 SP1, and 2013 RT SP1 (patched in MS15-099), and has started to become popular with cyber-crime gangs, not only APT groups.

CVE-2015-1641 (a memory-corruption bug in Office's RTF handling, patched in MS15-033), on the other hand, had been seen by security firms in a smaller number of high-profile infections tied to targeted APT attacks, but according to Sophos the exploit has since become the favorite of cyber-criminal groups and is found in large volumes of spam email.
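The EPS delivery vector described above has a cheap triage check, because an OOXML document (.docx, .xlsx, .pptx) is a ZIP container in which every part's type is declared in [Content_Types].xml and EPS pictures carry the content type image/x-eps. The script below is an added example for this article, not code from Sophos or from any of the kits discussed: it reports parts declared as EPS, parts whose payload starts with an EPS header regardless of their extension, and any mismatch between the two, since renaming a part is the usual way to slip past extension filters. The sample document it builds is constructed inline for the demonstration and is not a real Word file or a real malicious sample; the presence of an EPS image is a reason to look closer, not proof of an exploit, as legitimate documents can carry EPS pictures too.

```python
"""Triage an OOXML document for embedded EPS images (CVE-2015-2545 vector).

OOXML files are ZIP containers. Picture parts live under */media/ and their
types are declared in [Content_Types].xml, where an EPS picture is typed
image/x-eps. We check both the declaration and the part payload.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
EPS_CONTENT_TYPE = "image/x-eps"
EPS_TEXT_MAGIC = b"%!PS-Adobe"        # header of an ASCII EPS file
EPS_DOS_MAGIC = b"\xc5\xd0\xd3\xc6"   # header of a binary (DOS) EPS file


def eps_parts_declared(content_types_xml: bytes, part_names) -> set:
    """Names of parts that [Content_Types].xml types as image/x-eps,
    either via a Default entry for their extension or an Override entry."""
    try:
        root = ET.fromstring(content_types_xml)
    except ET.ParseError:
        return set()  # a broken manifest is itself odd, but not our concern here
    eps_exts = {
        d.get("Extension", "").lower()
        for d in root.iter(CT_NS + "Default")
        if d.get("ContentType", "").lower() == EPS_CONTENT_TYPE
    }
    eps_overrides = {
        o.get("PartName", "").lstrip("/")
        for o in root.iter(CT_NS + "Override")
        if o.get("ContentType", "").lower() == EPS_CONTENT_TYPE
    }
    declared = set()
    for name in part_names:
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if name in eps_overrides or ext in eps_exts:
            declared.add(name)
    return declared


def looks_like_eps(head: bytes) -> bool:
    """True if the first bytes of a part match an ASCII or DOS EPS header."""
    return head.startswith(EPS_TEXT_MAGIC) or head.startswith(EPS_DOS_MAGIC)


def scan_ooxml(data: bytes) -> dict:
    """Scan raw OOXML bytes. Returns EPS parts found by declaration and by
    payload, the parts where the two disagree, and an overall verdict."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        declared = set()
        if "[Content_Types].xml" in names:
            declared = eps_parts_declared(zf.read("[Content_Types].xml"), names)
        by_magic = set()
        for name in names:
            if name.endswith("/") or name == "[Content_Types].xml":
                continue
            with zf.open(name) as part:
                # 10 bytes cover both magic values; XML parts start with '<'
                if looks_like_eps(part.read(len(EPS_TEXT_MAGIC))):
                    by_magic.add(name)
    return {
        "eps_parts": sorted(declared | by_magic),
        "declared_only": sorted(declared - by_magic),  # typed EPS, payload is not
        "magic_only": sorted(by_magic - declared),     # EPS payload under another type
        "suspicious": bool(declared or by_magic),
    }


def build_sample_docx(image_name: str, image_bytes: bytes, content_type: str) -> bytes:
    """Constructed minimal OOXML container for testing (not a real Word file):
    one picture part plus the content-type entry the package would carry for it."""
    ext = image_name.rsplit(".", 1)[-1]
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Default Extension="{ext}" ContentType="{content_type}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")  # placeholder body
        zf.writestr(f"word/media/{image_name}", image_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a document carrying a (harmless) ASCII EPS picture.
    sample = build_sample_docx("image1.eps", b"%!PS-Adobe-3.0 EPSF-3.0\n", EPS_CONTENT_TYPE)
    print(scan_ooxml(sample))
```

Run it against a real document with `scan_ooxml(open("suspect.docx", "rb").read())`. A hit in `magic_only` (an EPS payload stored under a .png or .jpg name) deserves more attention than a plainly declared .eps, and legacy binary .doc files are OLE containers rather than ZIPs, so this check does not apply to them.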